VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2023 · Updated Dec 3, 2024

CVE-2023-34475

Description

A heap use-after-free in ImageMagick's ReplaceXmpValue() function can lead to a denial of service when a user opens a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap use-after-free exists in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. The function rewrites one value inside an XMP profile in place: it takes the profile's datum pointer, calls SetStringInfoLength() to grow the profile buffer when the replacement value is longer than the original, and then moves the tail of the profile and copies the new value into place. SetStringInfoLength() may reallocate and free the old buffer, but the datum pointer obtained before that call is not refreshed, so the subsequent memmove/memcpy write through a pointer into freed memory (a use-after-free write). The path is reached while converting a specially crafted image file, such as a TIM2 or JPEG, whose conversion causes the XMP profile to be rewritten. Affected versions are those that do not contain the fix commit cited under Mitigation [2].

Exploitation

An attacker must get a user or a service to process a specially crafted image file (e.g., TIM2 or JPEG) with ImageMagick, for example via the convert command or through an application that calls ImageMagick for image processing. No authentication is required; the attack vector is local and relies on user interaction, although any service that runs ImageMagick on uploaded files exposes the same code path without further interaction. Once the file is processed, ReplaceXmpValue() is invoked and the heap use-after-free write occurs, crashing the process [1][2].

Impact

Successful exploitation crashes the application (denial of service). The underlying primitive is a heap use-after-free write, which is memory corruption and in general can do more than crash a process, but the available references demonstrate only process termination; there is no evidence in them of code execution or data disclosure, so the documented impact is confined to availability [1][2].

Mitigation

The issue is fixed in ImageMagick commit 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0, which refreshes the datum pointer after the profile buffer is resized, so the subsequent memmove/memcpy operate on the live buffer [2]. Update to a release that includes this commit. Red Hat has acknowledged the CVE [1], and Fedora package announcements carry the corresponding update advisories [3][4]. No workaround is given in the references. If patching is not possible, do not process untrusted image files with ImageMagick; where ImageMagick handles user-supplied images as part of a service, run it in an isolated, unprivileged process so that a crash, or any memory corruption beyond a crash, stays contained. When relying on a distribution package, check that its changelog references CVE-2023-34475 rather than inferring the fix from the upstream version number alone.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7

Patches: 0 (no patches discovered in this index yet; the fix commit is cited under Mitigation above)

Vulnerability mechanics

Root cause

"A heap use-after-free vulnerability exists in the ReplaceXmpValue function."

Attack vector

An attacker tricks a user into opening a specially crafted file for conversion. Processing the file triggers a heap use-after-free write in the ReplaceXmpValue function, which can crash the application and so cause a denial of service.

Affected code

The vulnerability is located in the ReplaceXmpValue function within the file MagickCore/profile.c. The patch also addresses related memory allocation issues in ReadTIM2ImageData.

What the fix does

The patch reorders ReplaceXmpValue so that the profile length is set (and the buffer resized) with SetStringInfoLength before the datum pointer is fetched and used by memmove and memcpy; the pointer therefore always refers to the live buffer rather than one the resize may have freed. It also changes the allocation size for clut_data in ReadTIM2ImageData to use MagickMax, so the buffer is at least as large as the later accesses require. Together these remove the use-after-free write and the related undersized allocation.
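The ordering bug described in the Vulnerability paragraph above and the reordering described in this section, as an added example in C that is not ImageMagick's code: a toy StringInfo whose SetStringInfoLength always moves the buffer, the patched ReplaceXmpValue ordering (resize, then fetch datum, then memmove/memcpy), and a helper that reproduces the unpatched ordering up to, but not including, the write through the stale pointer. The StringInfo layout, the always-moving resize, the sample XMP fragment and the helper names are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of ImageMagick's StringInfo (datum + length); an assumption made
   for this demonstration, not the real MagickCore type. */
typedef struct {
  unsigned char *datum;
  size_t length;
} StringInfo;

static StringInfo *AcquireStringInfo(const char *text) {
  StringInfo *info = malloc(sizeof *info);
  if (info == NULL) return NULL;
  info->length = strlen(text);
  info->datum = malloc(info->length + 1);
  if (info->datum == NULL) { free(info); return NULL; }
  memcpy(info->datum, text, info->length + 1);
  return info;
}

static void DestroyStringInfo(StringInfo *info) {
  free(info->datum);
  free(info);
}

/* Modelled resize: always allocates a new block, copies, and frees the old
   one, so a pointer taken before the call is stale every time.  The real
   SetStringInfoLength reallocates, which moves the block only sometimes,
   which is why the unpatched code crashed intermittently rather than always. */
static void SetStringInfoLength(StringInfo *info, size_t new_length) {
  size_t keep = info->length < new_length ? info->length : new_length;
  unsigned char *fresh = malloc(new_length + 1);
  if (fresh == NULL) abort();
  memcpy(fresh, info->datum, keep);
  fresh[keep] = '\0';
  free(info->datum);            /* the old datum pointer is now dangling */
  info->datum = fresh;
  info->length = new_length;
}

/* Patched ordering: grow first, fetch datum after the resize, then move the
   tail and copy the new value; shrink only after the writes are done. */
static void ReplaceXmpValue(StringInfo *profile, size_t start, size_t end,
                            const char *value) {
  size_t length = profile->length;
  size_t offset = strlen(value);
  size_t new_length = length - (end - start) + offset;
  unsigned char *datum;
  if (new_length > length)
    SetStringInfoLength(profile, new_length);  /* may move the buffer */
  datum = profile->datum;                      /* so fetch datum afterwards */
  memmove(datum + start + offset, datum + end, length - end);
  memcpy(datum + start, value, offset);
  if (new_length < length)
    SetStringInfoLength(profile, new_length);
}

/* Unpatched ordering, stopped just before the dangerous write: datum is taken
   before the resize, as in the vulnerable code.  Returns 1 if that pointer no
   longer refers to the live buffer (the memmove would have hit freed memory),
   0 if no grow happened and the pointer is still valid, -1 on allocation failure. */
static int datum_goes_stale(const char *xml, size_t start, size_t end,
                            const char *value) {
  StringInfo *profile = AcquireStringInfo(xml);
  uintptr_t before, after;
  size_t length, new_length;
  int stale;
  if (profile == NULL) return -1;
  before = (uintptr_t) profile->datum;         /* the pre-resize 'datum' */
  length = profile->length;
  new_length = length - (end - start) + strlen(value);
  if (new_length > length)
    SetStringInfoLength(profile, new_length);
  after = (uintptr_t) profile->datum;
  stale = before != after;
  DestroyStringInfo(profile);
  return stale;
}

/* Replace the first occurrence of needle in xml with the patched routine and
   compare the result with expected; returns 1 on match, 0 otherwise. */
static int replacement_matches(const char *xml, const char *needle,
                               const char *value, const char *expected) {
  const char *hit = strstr(xml, needle);
  StringInfo *profile;
  int ok;
  if (hit == NULL) return 0;
  profile = AcquireStringInfo(xml);
  if (profile == NULL) return 0;
  ReplaceXmpValue(profile, (size_t)(hit - xml),
                  (size_t)(hit - xml) + strlen(needle), value);
  ok = profile->length == strlen(expected) &&
       memcmp(profile->datum, expected, profile->length) == 0;
  DestroyStringInfo(profile);
  return ok;
}

int main(void) {
  /* Constructed sample fragment; not a real XMP packet or a crafted file. */
  const char *xml = "<dc:title>old</dc:title>";
  printf("grow ok: %d\n", replacement_matches(xml, "old", "much longer title",
         "<dc:title>much longer title</dc:title>"));
  printf("datum stale after grow: %d\n",
         datum_goes_stale(xml, 10, 13, "much longer title"));
  return 0;
}
```

The grow path is the interesting one: when the replacement is longer than the original value, the resize happens, and only a pointer fetched after it is safe to write through. The equal-length and shrink paths never grow before the writes, which is why datum_goes_stale returns 0 for them and why a crafted file needs a longer replacement value to reach the freed buffer.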

Preconditions

  • input: The user must open a specially crafted file for conversion.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)